[openssh-commits] [openssh] 01/07: upstream: Fix cases in GSSAPI and keyboard-interactive
git+noreply at mindrot.org
git+noreply at mindrot.org
Mon Jul 6 19:03:46 AEST 2026
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch V_10_4
in repository openssh.
commit d43ba60c91cb323ca921049b7d43b1908c318454
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Mon Jul 6 07:44:48 2026 +0000
upstream: Fix cases in GSSAPI and keyboard-interactive
authentication where the minimum per-attempt delay was not being enforced.
Reported by Orange Cyberdefense Vulnerability Team
OpenBSD-Commit-ID: c40bd35cc2428fcaccad7a141703c28baa6da01e
---
auth.h | 3 ++-
auth2-chall.c | 6 +++++-
auth2-gss.c | 9 ++++++++-
auth2.c | 12 +++++++++---
4 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/auth.h b/auth.h
index 634a84aa8..0f11458ca 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.109 2026/02/06 01:24:36 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.110 2026/07/06 07:44:48 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -175,6 +175,7 @@ void auth_log(struct ssh *, int, int, const char *, const char *);
void auth_maxtries_exceeded(struct ssh *) __attribute__((noreturn));
void userauth_finish(struct ssh *, int, const char *, const char *);
int auth_root_allowed(struct ssh *, const char *);
+void auth_failure_delay(Authctxt *, double);
char *auth2_read_banner(void);
int auth2_methods_valid(const char *, int);
diff --git a/auth2-chall.c b/auth2-chall.c
index f3889079b..8a23ca2dc 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-chall.c,v 1.60 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: auth2-chall.c,v 1.61 2026/07/06 07:44:48 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2001 Per Allansson. All rights reserved.
@@ -300,6 +300,7 @@ input_userauth_info_response(int type, uint32_t seq, struct ssh *ssh)
u_int i, nresp;
const char *devicename = NULL;
char **response = NULL;
+ double tstart = monotime_double();
if (authctxt == NULL)
fatal_f("no authctxt");
@@ -358,6 +359,9 @@ input_userauth_info_response(int type, uint32_t seq, struct ssh *ssh)
auth2_challenge_start(ssh);
}
}
+
+ if (!authenticated)
+ auth_failure_delay(authctxt, tstart);
userauth_finish(ssh, authenticated, "keyboard-interactive",
devicename);
return 0;
diff --git a/auth2-gss.c b/auth2-gss.c
index 053548527..355926afc 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.39 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.40 2026/07/06 07:44:48 djm Exp $ */
/*
* Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -255,6 +255,7 @@ input_gssapi_exchange_complete(int type, uint32_t plen, struct ssh *ssh)
{
Authctxt *authctxt = ssh->authctxt;
int r, authenticated;
+ double tstart = monotime_double();
if (authctxt == NULL)
fatal("No authentication or GSSAPI context");
@@ -268,6 +269,8 @@ input_gssapi_exchange_complete(int type, uint32_t plen, struct ssh *ssh)
fatal_fr(r, "parse packet");
authenticated = mm_ssh_gssapi_userok(authctxt->user);
+ if (!authenticated)
+ auth_failure_delay(authctxt, tstart);
authctxt->postponed = 0;
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
@@ -288,6 +291,7 @@ input_gssapi_mic(int type, uint32_t plen, struct ssh *ssh)
gss_buffer_desc mic, gssbuf;
u_char *p;
size_t len;
+ double tstart = monotime_double();
if (authctxt == NULL)
fatal("No authentication or GSSAPI context");
@@ -315,6 +319,9 @@ input_gssapi_mic(int type, uint32_t plen, struct ssh *ssh)
sshbuf_free(b);
free(mic.value);
+ if (!authenticated)
+ auth_failure_delay(authctxt, tstart);
+
authctxt->postponed = 0;
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
ssh_dispatch_set(ssh, SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
diff --git a/auth2.c b/auth2.c
index 3a1682746..3f353a719 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.173 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: auth2.c,v 1.174 2026/07/06 07:44:48 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -265,6 +265,12 @@ ensure_minimum_time_since(double start, double seconds)
nanosleep(&ts, NULL);
}
+void
+auth_failure_delay(Authctxt *authctxt, double tstart)
+{
+ ensure_minimum_time_since(tstart, user_specific_delay(authctxt->user));
+}
+
static int
input_userauth_request(int type, uint32_t seq, struct ssh *ssh)
{
@@ -346,8 +352,8 @@ input_userauth_request(int type, uint32_t seq, struct ssh *ssh)
authenticated = m->userauth(ssh, method);
}
if (!authctxt->authenticated && strcmp(method, "none") != 0)
- ensure_minimum_time_since(tstart,
- user_specific_delay(authctxt->user));
+ auth_failure_delay(authctxt, tstart);
+
userauth_finish(ssh, authenticated, method, NULL);
r = 0;
out:
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list